- From: Mike West <mkwst@google.com>
- Date: Sat, 18 Jan 2014 03:58:45 +0100
- To: John Wong <gokoproject@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=cVJMCywVE+NR7DujRbbvRFJJ6dMEP=GGKF5L_Otg0XrQ@mail.gmail.com>
Blink parses the directive names without regard for case:
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/frame/ContentSecurityPolicy.cpp&rcl=1389972650&l=1452

I've added a note in
https://github.com/w3c/webappsec/commit/5607c0f12a99b357da3cc045cdb1f614d67d9cd5
to the spec to make that clear.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Sat, Jan 18, 2014 at 12:15 AM, John Wong <gokoproject@gmail.com> wrote:

> I happen to have this discussion again on #security with the Mozillians
> today.
> Issue: the 1.0 spec does not seem to specify whether directive names
> should be case insensitive or not (a quick glance on 1.1 draft also seems
> to be case as well). Correct me if I am wrong.
>
> Someone told me that since the grammar follows the ABNF, the following is
> implicit in CSP spec:
>
> ABNF strings are case insensitive and the character set for these
> strings is US-ASCII.
>
> http://www.ietf.org/rfc/rfc5234.txt
>
> It is worthwhile that we determine whether CSP directives should be case
> insensitive or not and write that into the spec explicitly.
>
> For Firefox's bug, please see
> https://bugzilla.mozilla.org/show_bug.cgi?id=938652
>
> Thanks.
> Yeuk Hon
>
> On Mon, Oct 28, 2013 at 3:29 PM, John Wong <gokoproject@gmail.com> wrote:
>
>> Hi,
>>
>> The UA algorithm states we can take source expressions case insensitive.
>> What about directive names themselves? For example, 'self' and 'SELF' are
>> acceptable. [1]
>>
>> > If the source expression is a case insensitive match for 'self' (including the quotation marks)
>>
>> [1]: http://www.w3.org/TR/CSP/#parsing-1
>>
>> Thanks.
>>
>> Yeuk Hon
Received on Saturday, 18 January 2014 02:59:34 UTC
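
The case-insensitive handling discussed in this thread matters to anyone who audits CSP headers. The following is an added example, not part of the original messages and not Blink's or Firefox's code. It contrasts a case-sensitive directive lookup with a parser that folds directive names and the 'self' keyword to lowercase. The function names, the sample header and the "first occurrence of a directive wins" rule are assumptions of the example.

```javascript
// Added example: parse a CSP header value, matching directive names and the
// 'self' keyword without regard for case. Hypothetical helper names.
function parsePolicy(headerValue) {
  const directives = new Map();
  for (const token of headerValue.split(';')) {
    const parts = token.trim().split(/[ \t]+/).filter(Boolean);
    if (parts.length === 0) continue; // empty token, e.g. after a trailing ';'
    // Directive names are compared case-insensitively: fold to lowercase.
    const name = parts[0].toLowerCase();
    // Assumption: a repeated directive is ignored, the first occurrence wins.
    if (directives.has(name)) continue;
    const sources = parts.slice(1).map((src) =>
      // 'self' (with its quotation marks) is matched case-insensitively;
      // every other source expression is kept exactly as written.
      /^'self'$/i.test(src) ? "'self'" : src
    );
    directives.set(name, sources);
  }
  return directives;
}

// Case-sensitive lookup of the kind a quick audit script might use.
// It disagrees with a browser whenever the header uses mixed case.
function naiveHasDirective(headerValue, wanted) {
  return headerValue
    .split(';')
    .some((t) => t.trim().split(/[ \t]+/)[0] === wanted);
}

// Constructed sample header with mixed-case names and a duplicate directive.
const sample =
  "Default-Src 'SELF'; SCRIPT-SRC https://cdn.example/js; script-src *";

const policy = parsePolicy(sample);
console.log([...policy.entries()]);
console.log('naive sees default-src:', naiveHasDirective(sample, 'default-src'));
```

With the sample header, the naive lookup reports no default-src at all and would attribute the `*` source list to script-src, while the case-folding parser sees the restrictive script-src that appears first.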